i want to remotely ssh to my home server, and I was wondering if I could just forward port 22 with disabling password login and use pubkey authentication will be safe enough?

  • blackstar2043@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This is my current hardened sshd configuration.

    ssh/sshd_config: https://pastebin.com/7tH36TdJ

    • Public key authentication and 2fa using oathtool are used to authenticate.
    • Logging in is only possible for members of the ‘ssh-user’ group.
    • “root” login is disabled through “PermitRootLogin”, “DenyGroups”, and “DenyUsers”.
    • “restricted” has the ability to log in from any host.
    • “user” is limited to using the internal network to log in.
    • ‘admin’ can only log in when connected via WireGuard.
    • “sftp” may login, but only uses the sftp server. There is no shell available.

    pam.d/sshd: https://pastebin.com/eqkisf4F

    • All successful pre-2FA logins will trigger the ‘ssh-login-alert’, which sends an NTFY alert containing the time, date, user, and host IP.
    • The use of /etc/users.deny prevents root login.
    • The use of /etc/users.allowed permits login by “restricted”, “user”, “admin” and “sftp”.
    • 2FA and ssh-login-alert trigger do not apply to “sftp”